Have you ever got annoyed by this popup?

I got curious where they come from and after running sysmon I quickly discovered they come from the invocation of MusNotification.exe and MusNotificationUx.exe.

This one in particular is a lunch of:

MusNotificationUx.exe Dialog_EngagedFourthReminder 0

The Dialog_xxx is a very unique keyword, so after quick search I discovered the whole gamut of similar messages hidden inside the UserProcess:: GetNotificationCommandLineArguments routine inside the MusNotification.exe:

• Dialog_AllowSchedulingFirstReminder
• Dialog_AllowSchedulingForcedReminder
• Dialog_AllowSchedulingPerAUPolicy
• Dialog_AllowSchedulingRebootFailed
• Dialog_AllowSchedulingSecondReminder
• Dialog_AllowSchedulingThirdReminder
• Dialog_AllowSchedulingWarning
• Dialog_CantDownloadUpdate
• Dialog_CantInstallUpdate
• Dialog_DataMigrationFailed
• Dialog_DownloadAvailable
• Dialog_DownloadNeedUserAgreementPerCTA
• Dialog_EngagedFourthReminder
• Dialog_EnhancedEngagedAcceptAuto
• Dialog_EnhancedEngagedForcedPrecursor
• Dialog_EnhancedEngagedForcedWarning
• Dialog_EnhancedEngagedRebootFailed
• Dialog_EnhancedEngagedRebootImminent
• Dialog_EnhancedEngagedRebootReminder
• Dialog_EnhancedEngagedSecondRebootReminder
• Dialog_ExpeditedReboot
• Dialog_InstallNeedEula
• Dialog_InstallNeedUserAgreement
• Dialog_LowUptime
• Dialog_PolicyDeadlineApproaching
• Dialog_PolicyDeadlineEngagement
• Dialog_PolicyDeadlineRebootFailed
• Dialog_PolicyDeadlineRebootImminent
• Dialog_PolicyDeadlineUserScheduled
• Dialog_RebootActiveHoursForcedReminder
• Dialog_RebootActiveHoursForcedWarning
• Dialog_RebootActiveHoursImminent
• Dialog_RebootActiveHoursUserSelected
• Dialog_RebootImminent
• Dialog_RebootPolicyEnabledForcedWarning
• Dialog_RebootPostponeMgmt
• Dialog_RebootWarning
• Dialog_ScheduleUpdate
• Dialog_ScheduleUpdateFailed
• Dialog_SuggestedActiveHours

You can pick up any of them and run via a similar invocation using MusNotificationUx.exe e.g.

MusNotificationUx.exe Dialog_CantDownloadUpdate 0

and others:

Apart from being a gimmick these invocations could be a good social engineering add-on to malware repertoire, and would certainly add a lot of credibility to rogue antispyware software back in a day.

There also seem to be a possibility of a Lolbin as the invocations of MusNotificationUx.exe via MusNotification.exe refer to %SYSTEMROOT% environment variable as opposed to path retrievwed using GetSystemDirectory — still a questionable programmer’s choice prevalent in many native OS binaries.

Finally, there is also a whole list of Toast_* invocations, which I have not figured out yet how to execute properly:

• Toast_CompatIssue
• Toast_DesktopKeepOnReminder
• Toast_DownloadNeedMoreSpace
• Toast_DownloadNeedUserAgreement
• Toast_DownloadNeedUserAgreementPerCTA
• Toast_DownloadNeedWifi
• Toast_DownloadViaCellularNeedUserAgreement
• Toast_EngagedFirstReminder
• Toast_EngagedRebootFailed
• Toast_EngagedRebootWarning
• Toast_EngagedSecondReminder
• Toast_EngagedThirdReminder
• Toast_EnhancedEngagedRebootReminder
• Toast_FailedDiskSpaceCheck
• Toast_FairWarningDesktop
• Toast_FairWarningLaptop
• Toast_FairWarningPolicyNotifyDeadline
• Toast_InstallBlocked
• Toast_InstallNeedEula
• Toast_InstallNeedMoreSpace
• Toast_InstallNeedUserAgreementPerAUPolicy
• Toast_KeepAliveOnBatteryWarning
• Toast_LaptopPlugInReminder
• Toast_LowUptime
• Toast_MeteredConnection
• Toast_NotifyToDownload
• Toast_NotifyToInstall
• Toast_OOBEDownloadInProgress
• Toast_PersistentReadyToReboot
• Toast_PolicyDeadlineEngagement
• Toast_RebootActiveHoursForcedReminder
• Toast_RebootActiveHoursImminent
• Toast_RebootNeedUserAgreementPerAUPolicy
• Toast_RebootOtherUsers
• Toast_RebootReminder
• Toast_SuggestedActiveHours
• Toast_UpdateFailed